From 4245ea576faba95599babdf31413853a73faa895 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Tue, 7 Apr 2026 12:27:17 -0700
Subject: [PATCH] Chore: address more zizmor flags
---
 .github/dependabot.yml | 2 +
 .github/workflows/ci-backend.yml | 53 +++++++++++++++++--------
 .github/workflows/ci-docker.yml | 1 +
 .github/workflows/ci-frontend.yml | 27 +++++++++----
 .github/workflows/ci-release.yml | 38 +++++++++++++-----
 .github/workflows/cleanup-tags.yml | 2 +
 .github/workflows/crowdin.yml | 1 +
 .github/workflows/translate-strings.yml | 1 +
 .github/zizmor.yml | 32 --------------
 9 files changed, 89 insertions(+), 68 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8ac712f97..8f5ed1cb6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -164,6 +164,8 @@ updates:
 directory: "/" # Location of package manifests
 schedule:
 interval: "monthly"
+ cooldown:
+ default-days: 7
 groups:
 pre-commit-dependencies:
 patterns:
diff --git a/.github/workflows/ci-backend.yml b/.github/workflows/ci-backend.yml
index 2a52b84f0..2e1560126 100644
--- a/.github/workflows/ci-backend.yml
+++ b/.github/workflows/ci-backend.yml
@@ -30,10 +30,13 @@ jobs:
 persist-credentials: false
 - name: Decide run mode
 id: force
+ env:
+ EVENT_NAME: ${{ github.event_name }}
+ REF_NAME: ${{ github.ref_name }}
 run: |
- if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+ if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
 echo "run_all=true" >> "$GITHUB_OUTPUT"
- elif [[ "${{ github.event_name }}" == "push" && ( "${{ github.ref_name }}" == "main" || "${{ github.ref_name }}" == "dev" ) ]]; then
+ elif [[ "${EVENT_NAME}" == "push" && ( "${REF_NAME}" == "main" || "${REF_NAME}" == "dev" ) ]]; then
 echo "run_all=true" >> "$GITHUB_OUTPUT"
 else
 echo "run_all=false" >> "$GITHUB_OUTPUT"
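Review bot: Nothing in the hunk records why the 7-day `cooldown` is applied to this one `updates` entry, and whether the file's other ecosystems get the same delay is outside the hunk. A comment above the new keys would carry the intent for the next reader, e.g. `# Wait 7 days before proposing a new release, so versions that are yanked or flagged shortly after publication are skipped`. If the delay is meant as a blanket policy, the remaining `updates` entries should either say so or receive the same block.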
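Review bot: The `Decide run mode` step, including the new `env` block, is now duplicated verbatim in ci-frontend.yml (its `@@ -27` hunk), and the same holds for `Set diff range` in the next hunk of this file and ci-frontend.yml's `@@ -38` hunk, so the four copies have to be kept in sync by hand. The ignore entries that went stale in zizmor.yml show how easily sibling workflows drift apart; moving the two steps into a local composite action that exposes `run_all`, `base` and `ref` as outputs would keep the template-injection fix in one place. The enclosing job starts before this hunk.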
@@ -41,15 +44,22 @@ jobs:
 - name: Set diff range
 id: range
 if: steps.force.outputs.run_all != 'true'
+ env:
+ BEFORE_SHA: ${{ github.event.before }}
+ DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+ EVENT_CREATED: ${{ github.event.created }}
+ EVENT_NAME: ${{ github.event_name }}
+ PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+ SHA: ${{ github.sha }}
 run: |
- if [[ "${{ github.event_name }}" == "pull_request" ]]; then
- echo "base=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
- elif [[ "${{ github.event.created }}" == "true" ]]; then
- echo "base=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT"
+ if [[ "${EVENT_NAME}" == "pull_request" ]]; then
+ echo "base=${PR_BASE_SHA}" >> "$GITHUB_OUTPUT"
+ elif [[ "${EVENT_CREATED}" == "true" ]]; then
+ echo "base=${DEFAULT_BRANCH}" >> "$GITHUB_OUTPUT"
 else
- echo "base=${{ github.event.before }}" >> "$GITHUB_OUTPUT"
+ echo "base=${BEFORE_SHA}" >> "$GITHUB_OUTPUT"
 fi
- echo "ref=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+ echo "ref=${SHA}" >> "$GITHUB_OUTPUT"
 - name: Detect changes
 id: filter
 if: steps.force.outputs.run_all != 'true'
@@ -104,9 +114,11 @@ jobs:
 run: |
 sudo cp docker/rootfs/etc/ImageMagick-6/paperless-policy.xml /etc/ImageMagick-6/policy.xml
 - name: Install Python dependencies
+ env:
+ PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
 run: |
 uv sync \
- --python ${{ steps.setup-python.outputs.python-version }} \
+ --python "${PYTHON_VERSION}" \
 --group testing \
 --frozen
 - name: List installed Python dependencies
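Review bot: The two-line `env`/`PYTHON_VERSION` block is now repeated on every step that runs `uv` (here, at `@@ -114` and `@@ -169` in this file, and at `@@ -64`, `@@ -83` and `@@ -210` in ci-release.yml), so any future step that omits it silently reintroduces the inline expression this commit removes. The `steps` context is not available in a job-level `env`, so the value cannot be hoisted directly, but it can be exported once per job by a step placed right after setup-python: `env:` / `PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}` / `run: echo "PYTHON_VERSION=${PYTHON_VERSION}" >> "$GITHUB_ENV"`, after which every later step in the job sees it; the removed zizmor.yml comment notes the value is a semver string produced by setup-python, which is what makes the `$GITHUB_ENV` write safe. The `enable-cache`/`python-version` inputs visible at `@@ -169`, presumably the uv setup step, already receive the same version, so it is worth checking whether the `--python` flags are needed at all.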
@@ -114,14 +126,15 @@ jobs:
 uv pip list
 - name: Install NLTK data
 run: |
- uv run python -m nltk.downloader punkt punkt_tab snowball_data stopwords -d ${{ env.NLTK_DATA }}
+ uv run python -m nltk.downloader punkt punkt_tab snowball_data stopwords -d "${NLTK_DATA}"
 - name: Run tests
 env:
 NLTK_DATA: ${{ env.NLTK_DATA }}
 PAPERLESS_CI_TEST: 1
+ PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
 run: |
 uv run \
- --python ${{ steps.setup-python.outputs.python-version }} \
+ --python "${PYTHON_VERSION}" \
 --dev \
 --frozen \
 pytest
@@ -169,9 +182,11 @@ jobs:
 enable-cache: true
 python-version: ${{ steps.setup-python.outputs.python-version }}
 - name: Install Python dependencies
+ env:
+ PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
 run: |
 uv sync \
- --python ${{ steps.setup-python.outputs.python-version }} \
+ --python "${PYTHON_VERSION}" \
 --group testing \
 --group typing \
 --frozen
@@ -207,19 +222,23 @@ jobs:
 runs-on: ubuntu-slim
 steps:
 - name: Check gate
+ env:
+ BACKEND_CHANGED: ${{ needs.changes.outputs.backend_changed }}
+ TEST_RESULT: ${{ needs.test.result }}
+ TYPING_RESULT: ${{ needs.typing.result }}
 run: |
- if [[ "${{ needs.changes.outputs.backend_changed }}" != "true" ]]; then
+ if [[ "${BACKEND_CHANGED}" != "true" ]]; then
 echo "No backend-relevant changes detected."
 exit 0
 fi
- if [[ "${{ needs.test.result }}" != "success" ]]; then
- echo "::error::Backend test job result: ${{ needs.test.result }}"
+ if [[ "${TEST_RESULT}" != "success" ]]; then
+ echo "::error::Backend test job result: ${TEST_RESULT}"
 exit 1
 fi
- if [[ "${{ needs.typing.result }}" != "success" ]]; then
- echo "::error::Backend typing job result: ${{ needs.typing.result }}"
+ if [[ "${TYPING_RESULT}" != "success" ]]; then
+ echo "::error::Backend typing job result: ${TYPING_RESULT}"
 exit 1
 fi
diff --git a/.github/workflows/ci-docker.yml b/.github/workflows/ci-docker.yml
index aa754a258..977db7d35 100644
--- a/.github/workflows/ci-docker.yml
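Review bot: `-d "${NLTK_DATA}"` in the `Install NLTK data` step reads `NLTK_DATA` from the shell environment, which only works if the variable is defined at workflow or job level; that definition is outside the hunk, although the `Run tests` step's `NLTK_DATA: ${{ env.NLTK_DATA }}` line suggests it exists. If it is defined there, the re-export in `Run tests` is redundant, since workflow- and job-level `env` already reach every step, and can be dropped; if it is not, the downloader is now called with an empty target directory. A comment on the `Install NLTK data` step such as `# NLTK_DATA is set in the workflow-level env` would make the dependency explicit once its origin is confirmed.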
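Review bot: The early `exit 0` in `Check gate` fires for any `BACKEND_CHANGED` value other than `true`, including the empty string the output likely carries when the `changes` job failed or was skipped, so a broken change-detection job would turn into a green gate; the job's `if:` condition that might rule this out is outside the hunk. Comparing against the literal value for the skip path, `if [[ "${BACKEND_CHANGED}" == "false" ]]; then`, and adding `CHANGES_RESULT: ${{ needs.changes.result }}` to `env` with a check shaped like the `TEST_RESULT` one would make an unexpected value fail the gate instead of passing it.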
+++ b/.github/workflows/ci-docker.yml
@@ -166,6 +166,7 @@ jobs:
 runs-on: ubuntu-24.04
 needs: build-arch
 if: needs.build-arch.outputs.should-push == 'true'
+ environment: image-publishing
 permissions:
 contents: read
 packages: write
diff --git a/.github/workflows/ci-frontend.yml b/.github/workflows/ci-frontend.yml
index 8a8ff6574..5cc0f1e69 100644
--- a/.github/workflows/ci-frontend.yml
+++ b/.github/workflows/ci-frontend.yml
@@ -27,10 +27,13 @@ jobs:
 persist-credentials: false
 - name: Decide run mode
 id: force
+ env:
+ EVENT_NAME: ${{ github.event_name }}
+ REF_NAME: ${{ github.ref_name }}
 run: |
- if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+ if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
 echo "run_all=true" >> "$GITHUB_OUTPUT"
- elif [[ "${{ github.event_name }}" == "push" && ( "${{ github.ref_name }}" == "main" || "${{ github.ref_name }}" == "dev" ) ]]; then
+ elif [[ "${EVENT_NAME}" == "push" && ( "${REF_NAME}" == "main" || "${REF_NAME}" == "dev" ) ]]; then
 echo "run_all=true" >> "$GITHUB_OUTPUT"
 else
 echo "run_all=false" >> "$GITHUB_OUTPUT"
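Review bot: `environment: image-publishing` only adds a control if an environment of that name is configured with deployment protection rules and the publishing secrets scoped to it; a job that references a name with no such configuration gets, as far as I know, an environment auto-created without rules, so the line reads as a safeguard while enforcing nothing. The same applies to `bundle-analysis` in ci-frontend.yml (`@@ -224`), `registry-maintenance` in both cleanup-tags.yml hunks, and `translation-sync` in crowdin.yml and translate-strings.yml. Note also that protection rules such as required reviewers apply to every run of the job; if `bundle-analysis` runs for `pull_request` events (its trigger is outside the hunk), a reviewer requirement would stall each PR until approved. A short comment above each `environment:` line naming the rules and secrets the environment is expected to carry, e.g. `# protected environment: required reviewers + registry credentials scoped here`, would let a reader verify the setup against the repository settings.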
@@ -38,15 +41,22 @@ jobs:
 - name: Set diff range
 id: range
 if: steps.force.outputs.run_all != 'true'
+ env:
+ BEFORE_SHA: ${{ github.event.before }}
+ DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+ EVENT_CREATED: ${{ github.event.created }}
+ EVENT_NAME: ${{ github.event_name }}
+ PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+ SHA: ${{ github.sha }}
 run: |
- if [[ "${{ github.event_name }}" == "pull_request" ]]; then
- echo "base=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
- elif [[ "${{ github.event.created }}" == "true" ]]; then
- echo "base=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT"
+ if [[ "${EVENT_NAME}" == "pull_request" ]]; then
+ echo "base=${PR_BASE_SHA}" >> "$GITHUB_OUTPUT"
+ elif [[ "${EVENT_CREATED}" == "true" ]]; then
+ echo "base=${DEFAULT_BRANCH}" >> "$GITHUB_OUTPUT"
 else
- echo "base=${{ github.event.before }}" >> "$GITHUB_OUTPUT"
+ echo "base=${BEFORE_SHA}" >> "$GITHUB_OUTPUT"
 fi
- echo "ref=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+ echo "ref=${SHA}" >> "$GITHUB_OUTPUT"
 - name: Detect changes
 id: filter
 if: steps.force.outputs.run_all != 'true'
@@ -224,6 +234,7 @@ jobs:
 needs: [changes, unit-tests, e2e-tests]
 if: needs.changes.outputs.frontend_changed == 'true'
 runs-on: ubuntu-24.04
+ environment: bundle-analysis
 permissions:
 contents: read
 steps:
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
index eb7d7473d..cccee436c 100644
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -64,17 +64,21 @@ jobs:
 enable-cache: false
 python-version: ${{ steps.setup-python.outputs.python-version }}
 - name: Install Python dependencies
+ env:
+ PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
 run: |
- uv sync --python ${{ steps.setup-python.outputs.python-version }} --dev --frozen
+ uv sync --python "${PYTHON_VERSION}" --dev --frozen
 - name: Install system dependencies
 run: |
 sudo apt-get update -qq
 sudo apt-get install -qq --no-install-recommends gettext liblept5
 # ---- Build Documentation ----
 - name: Build documentation
+ env:
+ PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
 run: |
 uv run \
- --python ${{ steps.setup-python.outputs.python-version }} \
+ --python "${PYTHON_VERSION}" \
 --dev \
 --frozen \
 zensical build --clean
@@ -83,16 +87,20 @@ jobs:
 run: |
 uv export --quiet --no-dev --all-extras --format requirements-txt --output-file requirements.txt
 - name: Compile messages
+ env:
+ PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
 run: |
 cd src/
 uv run \
- --python ${{ steps.setup-python.outputs.python-version }} \
+ --python "${PYTHON_VERSION}" \
 manage.py compilemessages
 - name: Collect static files
+ env:
+ PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
 run: |
 cd src/
 uv run \
- --python ${{ steps.setup-python.outputs.python-version }} \
+ --python "${PYTHON_VERSION}" \
 manage.py collectstatic --no-input --clear
 - name: Assemble release package
 run: |
@@ -210,9 +218,13 @@ jobs:
 working-directory: docs
 env:
 CHANGELOG: ${{ needs.publish-release.outputs.changelog }}
+ PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
+ VERSION: ${{ needs.publish-release.outputs.version }}
 run: |
- git branch ${{ needs.publish-release.outputs.version }}-changelog
- git checkout ${{ needs.publish-release.outputs.version }}-changelog
+ branch_name="${VERSION}-changelog"
+
+ git branch "${branch_name}"
+ git checkout "${branch_name}"
 printf '# Changelog\n\n%s\n' "${CHANGELOG}" > changelog-new.md
@@ -227,24 +239,28 @@ jobs:
 mv changelog-new.md changelog.md
 uv run \
- --python ${{ steps.setup-python.outputs.python-version }} \
+ --python "${PYTHON_VERSION}" \
 --dev \
 prek run --files changelog.md || true
 git config --global user.name "github-actions"
 git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
- git commit -am "Changelog ${{ needs.publish-release.outputs.version }} - GHA"
- git push origin ${{ needs.publish-release.outputs.version }}-changelog
+ git commit -am "Changelog ${VERSION} - GHA"
+ git push origin "${branch_name}"
 - name: Create pull request
 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+ env:
+ VERSION: ${{ needs.publish-release.outputs.version }}
 with:
 script: |
 const { repo, owner } = context.repo;
+ const version = process.env.VERSION;
+ const head = `${version}-changelog`;
 const result = await github.rest.pulls.create({
- title: 'Documentation: Add ${{ needs.publish-release.outputs.version }} changelog',
+ title: `Documentation: Add ${version} changelog`,
 owner,
 repo,
- head: '${{ needs.publish-release.outputs.version }}-changelog',
+ head,
 base: 'main',
 body: 'This PR is auto-generated by CI.'
 });
diff --git a/.github/workflows/cleanup-tags.yml b/.github/workflows/cleanup-tags.yml
index 24895ffaa..3c4eca455 100644
--- a/.github/workflows/cleanup-tags.yml
+++ b/.github/workflows/cleanup-tags.yml
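Review bot: `git branch "${branch_name}"` followed by `git checkout "${branch_name}"` can be the single `git checkout -b "${branch_name}"`, which does the same thing and fails the same way if the branch already exists. Since `branch_name` is reused by `git push origin "${branch_name}"` in the next hunk (`@@ -227`) and the pull-request step derives the same name on its own, a comment at the definition such as `# Branch name is derived from the release tag; the pull-request step below must stay in sync` would tie the uses together. The step's header (`- name:`, `id`) starts before this hunk.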
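Review bot: The head branch name is derived twice, as `branch_name="${VERSION}-changelog"` in the shell step and again as a template literal in the `Create pull request` script, so a change to one silently breaks the other. The shell step could publish it once with `echo "branch=${branch_name}" >> "$GITHUB_OUTPUT"` and the script step read it through its `env` (`BRANCH: ${{ steps.<shell-step-id>.outputs.branch }}` and `const head = process.env.BRANCH;`), which keeps the value out of the script text as this commit intends; that needs an `id` on the shell step, whose header is outside the hunk. `VERSION` would then only be needed for the PR title.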
@@ -18,6 +18,7 @@ jobs:
 name: Cleanup Image Tags for ${{ matrix.primary-name }}
 if: github.repository_owner == 'paperless-ngx'
 runs-on: ubuntu-24.04
+ environment: registry-maintenance
 strategy:
 fail-fast: false
 matrix:
@@ -44,6 +45,7 @@ jobs:
 runs-on: ubuntu-24.04
 needs:
 - cleanup-images
+ environment: registry-maintenance
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/crowdin.yml b/.github/workflows/crowdin.yml
index 559e83917..c43d99f80 100644
--- a/.github/workflows/crowdin.yml
+++ b/.github/workflows/crowdin.yml
@@ -14,6 +14,7 @@ jobs:
 name: Crowdin Sync
 if: github.repository_owner == 'paperless-ngx'
 runs-on: ubuntu-24.04
+ environment: translation-sync
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/translate-strings.yml b/.github/workflows/translate-strings.yml
index ad894abe7..dbcbd079f 100644
--- a/.github/workflows/translate-strings.yml
+++ b/.github/workflows/translate-strings.yml
@@ -7,6 +7,7 @@ jobs:
 generate-translate-strings:
 name: Generate Translation Strings
 runs-on: ubuntu-latest
+ environment: translation-sync
 permissions:
 contents: write
 steps:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index f45e6bbd4..50615aef4 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
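Review bot: `runs-on: ubuntu-latest` in the `generate-translate-strings` job is the only floating runner label among the hunks of this commit; every other job shown pins `ubuntu-24.04` (ci-docker.yml, ci-frontend.yml, cleanup-tags.yml, crowdin.yml). Since this job holds `contents: write` and now references the `translation-sync` environment, pinning it the same way, `runs-on: ubuntu-24.04`, keeps the image it runs on from changing underneath the workflow. The job's steps are outside the hunk.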
@@ -3,54 +3,22 @@ rules:
 ignore:
 # github.event_name is a GitHub-internal constant (push/pull_request/etc.),
 # not attacker-controllable.
- - ci-backend.yml:35
 - ci-docker.yml:74
 - ci-docs.yml:33
- - ci-frontend.yml:32
 # github.event.repository.default_branch refers to the target repo's setting,
 # which only admins can change; not influenced by fork PR authors.
- - ci-backend.yml:47
 - ci-docs.yml:45
- - ci-frontend.yml:44
 # steps.setup-python.outputs.python-version is always a semver string (e.g. "3.12.0")
 # produced by actions/setup-python from a hardcoded env var input.
- - ci-backend.yml:106
- - ci-backend.yml:121
- - ci-backend.yml:169
 - ci-docs.yml:88
 - ci-docs.yml:92
- - ci-release.yml:69
- - ci-release.yml:78
- - ci-release.yml:90
- - ci-release.yml:96
- - ci-release.yml:229
 # needs.*.result is always one of: success/failure/cancelled/skipped.
- - ci-backend.yml:211
- - ci-backend.yml:212
- - ci-backend.yml:216
 - ci-docs.yml:131
 - ci-docs.yml:132
- - ci-frontend.yml:259
- - ci-frontend.yml:260
- - ci-frontend.yml:264
- - ci-frontend.yml:269
- - ci-frontend.yml:274
- - ci-frontend.yml:279
 # needs.changes.outputs.* is always "true" or "false".
- - ci-backend.yml:206
 - ci-docs.yml:126
- - ci-frontend.yml:254
 # steps.build.outputs.digest is always a SHA256 digest (sha256:[a-f0-9]{64}).
 - ci-docker.yml:152
- # needs.publish-release.outputs.version is the git tag name (e.g. v2.14.0);
- # only maintainers can push tags upstream, and the tag pattern excludes
- # shell metacharacters. Used in git commands and github-script JS, not eval.
- - ci-release.yml:215
- - ci-release.yml:216
- - ci-release.yml:231
- - ci-release.yml:237
- - ci-release.yml:245
- - ci-release.yml:248
 dangerous-triggers:
 ignore:
 # Both workflows use pull_request_target solely to label/comment on fork PRs